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REMARKS 

The Examiner has rejected Claims 1, 3-1 1, 13-19, 30, and 31-35 under 35 U.S.C, 
103(a) as being unpatentable over Vaidya (U.S. Patent No. 6.279,1 13 B.1), in view of Li 
et at (U.S. Patent No. 6,567,408 B I). Further, the Examiner has rejected Claims 20-29 
under 35 U.S.C 103(a) as being unpatentable over Cope! and, 01 (U.S. Publication No, 
2002/01441 56 A 1), in view of Li et al (U.S. Patent No. 6.567.408 B 1). Applicant 
respectfully disagrees with such rej< J tns. especiall) in view of the amendments made 
hereinabove to the independent claims. Specifically, applicant has amended independent 
Claims 1 and 30 to at least substantially include the subject matter of former dependent 
Claims 10 and 11, 

To establish & prima facie case of obviousness, three basic criteria must be met. 
First, there must be some suggestion or motivation, either in the references themselves or 
in the knowledge generally available to one of ordinary skill in the art. to modify the 
reference or to combine reference teachings. Second, there must be a reasonable 
expectation of success. Finally, the prior art reference (or references when combined) 
must teach or suggest ail the claim limitations. The teaching or suggestion to make the 
claimed combination and the reasonable expectation of success must both be found in the 
prior art and not based on applicant's disclosure, in re Vaeck.947 F.2d 488, 20 USPQ2d 
1438 (Fed.Cir.1991). 

With respect to the first element of the prima facie case of obviousness and, in 
particular, the obviousness of combining the Vaidya and Li references, the Examiner 
argues that "it would have been obvious... to employ the teachings of Li within the 
system of Vaidya in order to enhance the performance and efficiency of the system." 

i : >ectfull) asserts that it would not have been obvious to 

combine the teachings of the Vaidya and Li references, especially in view of the vast 
evidence to the contrary. 
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For example, Vaidya relates to an intrusion detection system, while Li relates to a 
s) siem to t . 1 - ■ : for providing a plurality of different levels of service. To 

simply glean features from a packet classification system, such as that of Li, and combine 
the same with the non-ai ogous art o i i >, such as that of 

Vaidya, would simply be improper. The packet classification system of Li simply 
classifies packets for providing different levels of gu 1 r\ e over a network, 

whereas the intrusion detection system of Vaidya detects packets associated with a 
network intrusion. "In order to rely on a reference as a basis for rejection of an 
applicant's invention, the reference must either be in the field of applicant's endeavor or. 
i f not, then be reasonably pertinent to the particular problem with which the inventor was 
concerned." In re Oetiker, 977 F.2d 1443, 1446, 24 USPQ2d 1443, 1445 (Fed. Cir. 1992), 
See also In re Deminski, 796 F.2d 436, 230 USPQ 3 1 3 (Fed. Cir. 1 986); In re Clay, 966 
F.2d 656, 659, 23 USPQ2d 1058, 1060-61 (Fed. Cir. 1992) In view of the vastly 
different types of problems the packet classification system of Li addresses, which 
merely relate to quality of service, as opposed to the intrusion detection system of 
Vaidya, the Examiner's proposed combination is inappropriate, 

In. addition, with respect to the obviousness of combining the Li and Copeland 
references, the Examiner argues that "it would have been obvious to one having ordinary 
skill in the art at the time of applicant's invention to employ the teachings of Li within 
the system of Copeland in order to enhance the performance and efficiency of the 
system." Applicant disagrees and respectfully asserts that it would not have been obvious 
to combi ne the teach ings of the Copeland and Li references, especial ly in vie w of the vast 
evidence to the contrary. 

For example, Copeland relates to a method for detecting unauthorized network 
usage based upon pM.projjliug , while Li relates to a c]as_sifi,cation method for classifying 
packets. To simply glean features from a port profiler, such as that of Copeland, and 
combine the same i th the mm- a og ts art ol " s ch as that of Li, 

would simply be improper, in particular, the port profiler of Copeland merely detects 
unauthorized usage (Copeland. Abstract), while the packet classifier of Li simply 
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cl ossifies packets for providing different levels of quality of service over a network (Li, 
Abstract). In view of the- vastly different types of problems a p i > • iddresses as 
opposed to a fiacket - c]assifier, the Examiner's proposed combination is inappropriate. 

Thus, applicant respectfully asserts that the first clement of the prima facie ease of 
obviousness has not been met, as noted above. More importantly, applicant also 
respectfully asserts that the third element of the prima facie case of obviousness has not 
been met by the prior art references relied on by the Examiner. For example, with respect 
to independent Claim 20. the Examiner has relied on paragraphs [01 57]-[0159] and 
[01 63 HO 165] from the Copeiand reference to make a prior art showing of applicant's 
claimed "detection engine operable to perform a table lookup at the flow table to select 
an action to be performed on said classified packets based on the classification, wherein 
comparing said classified packets to at least a subset of the signature profiles is one of the 
actions'' (as currently amended), 

Applicant respectfully asserts that the excerpts relied on by the Examiner merely 
disc-lose that "the flow collector thread,., searches linearly through the entire flow data 
structure ... to find flows that have been inactive for a certain time period" after which "a 
logic tree analysis is done to classify [the inactive flows ] as either a normal flow, or a 
potential probe or other suspicious activity" (paragraph [0157] emphasis added). 
Further, the excerpts teach that "[tjhe packet classifier thread 610 collects information on 
network operations such as packets and bytes" and that "[t]he alert manager thread 630 
writes the iij t jot j les for use by the user interface (paragraph 

[01 65] - emphasis added). 

However, merely teaching the classification of inactive flows and the writing of 
updated data to output files tails to teach "a detection engine operable to perform a table 
lookup at the flow table to select an actii if' I p_c ' ted o; ai clas fled packets 

- k -uiou " and does not even suggest '' comparing said classified packets 
to at least a subset of the signature profiles" (emphasis added), as claimed by applicant. 
Clearly, classifying inactive flows, as in Copeiand, fails to meet "selecting] an action to 
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be performed on said packet based on its classification" (emphasis added), in the manner 
as claimed by applicant. 

Applicant respectfully asserts that at least the first and third elements of the prima 
facie case of obviousness have not been met, since it would ne| have been obvious to 
combine the prior art references, and since the prior art references, when combined, fail 
to teach or suggest all of the claim limitations, as noted above. Nevertheless, despite 
such paramount deficiencies and in the spirit of expediting the prosecution of the present 
application, applicant has substantially incorporated the subject matter of former 
dependent Claims 10 and 11 into independent Claims 1 and 30. 

With respect to the subject matter of former Claims 1 0 and .1 .1 (now at least 
substantially incorporated into independent Claims! and 30), the Examiner has relied on 
Col. 7, lines 2-1 J and Col. 9, lines 27-35 of the Vaidya reference to make a prior art 
showing of applicant's claimed "performing a table lookup to select an action to be 
performed on said classified packets based on the classification" and technique "wherein 
one of the actions is comparing said classified packets to at least a subset of the signature 
pro files." 

Applicant respectfully asserts that the excerpts from Vaidya relied on by the 
Examiner simply teach that "[ijfa network intrusion is detected, the reaction module is 
notified" (Col. 7, lines 6-7) and that ki [t]he reaction module. . . takes steps to trace the 
application session associated with the data packet, to terminate the session, and/or to 
noti fy the network administrator" (Col. 7, lines 8-11 - emphasis added). However, 
merely teaching notifying a reaction m • ... . . session, terminate the 
session, and notify the network admin istrator tails to teach any sort of table lookup , let 
alone specifically "performing a table lookup to select an - s :- : I.Q.P .. to be performed on said 
classified packets base n tl ion" (emphasi I) as claimed by applicant. 

Clearly, the reaction module that can trace and terminate the session fails to meet 
•'seleclfing] an action to be performed on said classified packets based on the 
classification" (emphasis added), in the manner as claimed by applicant. 
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Furthermore, the excerpts from Vaidya relied on by the Examiner simply teach 
that "building the instruction cache 42 includes the step 1 .1 2 of crea ting a hash index 
based on the server IP address and the application information in the register cache 40" 
(Col. 9, lines 27-30 - emphasis added). In addition, Vaidya teaches that "the hash index 
is used to search die signature profile memory 39 for a set of attack signature profiles 
corresponding to tin , j itioj issoc i tied w ith the packet information" (Col. 

9, lines 33-36 - emphasis added) where "p]f the search identifies a corresponding profile, 
the attack signature profiles signatures are imported into the instruction cache in step 
120" (Col. 9, lines 43-45 - emphasis added). 

However, the mere disclosure of creating a hash index which is used to search for 
aMack.signature.proiljes corresponding to the server and application associated with the 
packet, information in order to import profile signatures into the instruction cache, as in 
\ iidya tai ls o te ^ ■ i s and especially not " comparing said das ified 

packets to at least a subset of the signature profiles" (emphasis added), as claimed by 
applicant. Clearly, searching a hash index for server IP address and application 
information fails to meet "comparing said classified packets." in the manner as claimed 
by applicant. 

Again, applicant respectful ly asserts that at least the first and third elements of die 
prima facie case of obviousness have not been met, as noted above. Thus, a notice of 
allowance or proper prior art showing of each of the foregoing claim elements, in 
combination with the remaining claimed features, is respectfully requested. 

To this end, all of the independent claims are deemed allowable. Moreover, the 
remaining dependent claims are further deemed allowable, in view of their dependence 
on such independent claims. 

In the event a telephone conversation would expedite the prosecution of this 
application, the Examiner may reach the undersigned at (408) 505-5100. The 
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Comroisskraer is authorized to charge any additional fees or credit any overpayment to 
Deposit Account No. 50-1351 (Order No. NAI1P3 18/0 1.240.01). 



Respectfully submitted, 
Zilka-Kotab, PC. 
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